Has anyone tried managing an ESX server in a firewalled neutral zone from a Virtual Center server on a corporate network?
We're about to build an ESX server to host several VMs to communicate out to the Internet. The network segment connecting to the Internet is isolated by firewall from the corporate network, where the Virtual Center server is located.
Question is, what ports do I need open on the firewall to allow Virtual Center to communicate with ESX? I see in VC - Configuration a list of ports used by ESX, but I'm not sure exactly which ones are required for VC.
It's really not a good idea to put your Service Console in a DMZ. Why not put your ESX server and Service Console on the corporate network, then create vswitches with additional NICs that connect to your DMZ?
See these links for some good information on using ESX in a DMZ...
Security Design of the VMware Infrastructure 3 Architecture - http://www.vmware.com/pdf/vi3_security_architecture_wp.pdf
VMware Infrastructure 3 Security Hardening - http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
DMZ & VLANs - http://www.vmware.com/community/thread.jspa?messageID=347532#347532
ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=233918#233918
ESX & DMZ - http://www.vmware.com/community/thread.jspa?messageID=344471#344471
ESX VMs in the DMZ - http://www.vmware.com/community/thread.jspa?forumID=21&threadID=19402&messageID=222399#222399
Setting up a DMZ - http://www.vmware.com/community/thread.jspa?messageID=682595
FYI, if you find this post helpful, please award points using the Helpful/Correct buttons.
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
Thanks, Eric
Visit my website: http://vmware-land.com
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
In terms of just ESX and VC, the ports are 902 (for ESX) and 905 (VC), but if you then want to manage the guests as well you'll need to look into opening ports for your Windows servers.
http://www.vmware.com/community/thread.jspa?messageID=473652
Eric, I would have said that, but needed to type quicker to post before you!
If you are licensing from Virtual Center rather than using host-based licenses, you also need to open ports 27000 and 27010 TCP/UDP, along with 902 for VC agents and 905 for remote console.
This doc has a whole chapter on security that has port diagrams and tables...
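As an added check that is not from any poster in this thread: a small Python script, run from the VirtualCenter server, that probes the TCP ports named above through the firewall and tells a refused connection (port reachable, nothing listening) apart from a timeout (most likely filtered by the firewall). The host name is a placeholder, and the UDP side of 27000/27010 is not probed.

```python
import socket
from typing import Callable, Dict, List

# Ports named in this thread as needed between VirtualCenter and ESX.
# The UDP side of 27000/27010 is not probed here (UDP needs an application-level check).
REQUIRED_TCP_PORTS: Dict[int, str] = {
    902: "VC agent (ESX)",
    905: "remote console",
    27000: "license server (also UDP)",
    27010: "license server (also UDP)",
}

def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (reachable, no listener), 'unresolved' or 'filtered' (timeout/no route)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # must come before OSError: it is a subclass
        return "refused"
    except socket.gaierror:             # name did not resolve
        return "unresolved"
    except (socket.timeout, OSError):   # timeout or unreachable: the typical firewall drop
        return "filtered"
    finally:
        s.close()

def check_ports(host: str, ports: Dict[int, str] = REQUIRED_TCP_PORTS,
                probe: Callable[[str, int], str] = tcp_probe) -> Dict[int, str]:
    """Probe every required port; the probe is injectable so the logic can be tested offline."""
    return {port: probe(host, port) for port in ports}

def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Ports the firewall is most likely dropping: timeouts, not refusals, point at the firewall."""
    return sorted(p for p, state in results.items() if state == "filtered")

def report(host: str, results: Dict[int, str]) -> str:
    """One line per port: host:port description: state."""
    return "\n".join(f"{host}:{port} {REQUIRED_TCP_PORTS.get(port, '?')}: {state}"
                     for port, state in sorted(results.items()))

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "esx-dmz.example.invalid"  # placeholder host
    res = check_ports(target)
    print(report(target, res))
    if blocked_ports(res):
        print("likely filtered by firewall:", blocked_ports(res))
```

Run it once with the firewall rules in place; a refused result means the rule passed and only the service is down, a filtered result means the firewall team still has work to do.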
Lots of good information here. My first thought was to put the service console on the corporate network. I ran that by one of the network people, and the initial answer was no, we keep all the connections on the DMZ network and provide access via firewall rules.
I'm expecting we will have some interesting conversations about this. Our Infosec doesn't always see eye-to-eye with other groups. We shall see.
They probably do not want you bridging the network with the ESX server, which is something you do not want to do with traditional servers. You never want a server with multiple NICs straddling the firewall. One exception to this is ESX. It is a very secure environment, and if you read through some of the links I provided you will see this is a common practice when deploying ESX to DMZs. If you stick your Service Console in the DMZ and it is hacked, it's like handing over the keys to your car. All your VMs are vulnerable if the SC is compromised.
There are a lot of unusual concepts in a VMware environment that many network guys are not used to. It's always a challenge trying to get them to change their ways. It helps to sit down with them and make them understand the unique networking features of VMware (the concept of vSwitches, vNICs, VMotion, VLAN tagging, port groups, etc.). Once they understand more about it they tend to put up less resistance when you come to them with requests.